Session
GIZ - Deutsche Gesellschaft fuer Internationale Zusammenarbeit
Carolin Kothe, Liquid Legal Institute e.V., Civil Society, Germany Western European and Others Group (WEOG) Tim Philipp Schäfers, Mint Secure GmbH, Private Sector, Germany, Western European and Others Group (WEOG) Lars Radscheidt, GIZ - Deutsche Gesellschaft fuer Internationale Zusammenarbeit, Private Sector, Germany, Western European and Others Group (WEOG)
Carolin Kothe, Liquid Legal Institute e.V., Civil Society, Germany Western European and Others Group (WEOG)
Tim Philipp Schäfers, Mint Secure GmbH, Private Sector, Germany, Western European and Others Group (WEOG)
9. Industry, Innovation and Infrastructure
16. Peace, Justice and Strong Institutions
16.a
17. Partnerships for the Goals
Targets: SDG 9: Industry, Innovation, and Infrastructure: Ethical hackers contribute to securing digital infrastructure, making industries and innovations more resilient to cyber threats. SDG 16: Peace, Justice, and Strong Institutions: Promoting ethical hacking helps combat cybercrime, supports legal frameworks for cybersecurity, and ensures a safer digital space. SDG 4: Quality Education: Raising awareness and providing ethical hacking education fosters cybersecurity skills and responsible digital citizenship. SDG 17: Partnerships for the Goals: Collaboration between ethical hackers, governments, and private sectors strengthens cybersecurity frameworks and global internet governance.
Ethical Hacking for a Safer Internet: Strengthening Cybersecurity Through Ethical Practices In an era of growing cyber threats, ethical hackers play a crucial role in securing the digital landscape. This Lightning Talk at the Internet Governance Forum (IGF) will highlight the challenges and contributions of ethical hackers in strengthening cybersecurity. Ethical hackers, often referred to as "white hat" hackers, use their skills to identify and fix vulnerabilities before malicious actors can exploit them. However, their work is often misunderstood, and they frequently face legal and ethical uncertainties. This session will explore the crucial role of ethical hacking in protecting online infrastructure, businesses, and individual users. It will also address the need for clearer legal frameworks, greater public awareness, and stronger collaboration between governments, the private sector, and ethical hacking communities. Additionally, the session will include a legal comparison within the European Union, examining how different jurisdictions regulate ethical hacking and the challenges posed by varying national laws. By analyzing these legal perspectives, we aim to shed light on the need for harmonized regulations that support ethical hackers while ensuring cybersecurity. By recognizing and supporting ethical hackers, we can foster a safer and more resilient internet for all. Join us for an engaging discussion on how ethical hacking can drive positive change in global cybersecurity efforts.
n.a. as lightning talks will be held without streaming.
Report
Summary:
The discussion titled "Ethical Hacking for a Safer Internet" highlighted on legal challenges and reform needs for ethical hacking and the urgent need for clear legal protections for ethical hackers. Tim Philipp Schäfers (Mint Secure) and Carolin Kothe (Liquid Legal Institute) emphasized that ethical hacking - defined by intent, authorization, and method - is vital for cybersecurity but often legally risky.
They distinguished between authorized (e.g. penetration testing, bug bounties) and unauthorized but benevolent hacking done for public benefit. Despite playing a key role in identifying vulnerabilities, ethical hackers face legal uncertainty due to vague or inconsistent laws across jurisdictions. Poland was cited as a rare example of clear legal protection, while most countries rely on prosecutorial discretion or justification defenses, which leave researchers vulnerable.
The speakers proposed four key reforms: legal clarity, explicit immunity for good-faith actors, reframing the public image of hacking, and a clear legal distinction between ethical and malicious hacking. They also called for international harmonization of laws to match the global nature of cybersecurity threats.
In conclusion, current laws hinder - not help - digital security. Comprehensive legal reform and greater public understanding are essential to support ethical hackers and safeguard critical systems.
Session Report:
The discussion "Ethical Hacking for a Safer Internet" brought together Tim Philipp Schäfers (Mint Secure) and Carolin Kothe (Liquid Legal Institute) to examine the pressing legal uncertainties surrounding ethical hacking and propose actionable reforms. The speakers emphasized that ethical hacking - despite being essential to modern cybersecurity - often exists in a legal gray zone due to outdated or inconsistent laws.
Ethical hacking, they explained, should be defined by intent, authorization, and methods used, rather than just the technical act of accessing systems. Kothe differentiated between authorized ethical hacking (e.g. penetration testing and corporate bug bounty programs) and unauthorized but socially beneficial hacking, where individuals act in good faith without formal permission. Schäfers linked this practice to the long-standing hacker ethic, which promotes improving system security without causing harm.
Both speakers highlighted the indispensable role ethical hackers play in identifying vulnerabilities that internal teams may overlook. They noted that most security incident reports received by computer emergency response teams (CERTs) come from external researchers, whose contributions have helped prevent serious breaches. However, despite their value, these individuals often face legal threats - even when they act responsibly and disclose findings through proper channels.
The legal landscape across jurisdictions remains fragmented and inconsistent. While Poland stands out for offering explicit legal protection for good-faith security research, most countries lack such clarity. Some legal systems treat unauthorized access as a crime regardless of intent, while others factor in harm, enrichment, or authorization differently. This patchwork of laws creates fear and hesitation among security researchers, and in some cases, drives them to remain anonymous or even abandon legitimate activity.
Current legal mechanisms - such as prosecutorial discretion or justification defenses—offer little real protection. Researchers may still be investigated, face reputational harm, or be restricted from publishing their findings. Schäfers noted the emotional toll this legal ambiguity places on ethical hackers, who often feel they are risking their careers to improve public safety.
To address this, the speakers proposed four core reforms:
- Legal certainty through clear guidelines for responsible disclosure;
- Explicit immunity for ethical hackers acting in good faith;
- Reframing public and legal perceptions of hacking to reflect its societal benefits;
- Clear legal distinction between ethical and malicious hacking within statutory frameworks.
They also stressed the need for international harmonization, recognizing that cybersecurity is a global issue and fragmented laws only complicate responsible cross-border research. During the audience Q&A, additional concerns emerged - such as the risk of increased surveillance under laws requiring proof of benign intent, and the potential for legal uncertainty to push talent toward malicious activities. Schäfers pointed out that many ethical hackers already use anonymous channels to avoid legal exposure.
In conclusion, the speakers agreed that the current legal environment fails both cybersecurity and justice. They called for comprehensive reform - beyond piecemeal solutions - to protect those who work in the public interest. Their call to action included engaging with lawmakers, companies, and the public to improve legal understanding, push for better policy, and ensure ethical hacking is recognized as a legitimate and essential part of securing digital infrastructure.
